Diffstat (limited to 'debian/patches/CVE-2022-3324.patch')
-rw-r--r-- | debian/patches/CVE-2022-3324.patch | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/debian/patches/CVE-2022-3324.patch b/debian/patches/CVE-2022-3324.patch
new file mode 100644
index 0000000..59b60e6
--- /dev/null
+++ b/debian/patches/CVE-2022-3324.patch
@@ -0,0 +1,65 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 7 Nov 2022 00:48:30 +0100
+Subject: CVE-2022-3324
+
+Origin: https://github.com/vim/vim/commit/8279af514ca7e5fd3c31cf13b0864163d1a0bfeb
+---
+ src/testdir/test_cmdline.vim | 22 ++++++++++++++++++++++
+ src/window.c | 5 ++++-
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 3878637..4a35201 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -620,5 +620,27 @@ func Test_report_error_with_composing()
+ call assert_equal('yes', caught)
+ endfunc
+
++" This was resulting in a window with negative width.
++" The test doesn't reproduce the illegal memory access though...
++func Test_cmdwin_split_often()
++ let lines = &lines
++ let columns = &columns
++ set t_WS=
++
++ try
++ set encoding=iso8859
++ set ruler
++ winsize 0 0
++ noremap 0 H
++ sil norm 0000000q:
++ catch /E36:/
++ endtry
++
++ bwipe!
++ set encoding=utf8
++ let &lines = lines
++ let &columns = columns
++endfunc
++
+
+ set cpo&
+diff --git a/src/window.c b/src/window.c
+index 7c7f580..c4d97d6 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -1945,6 +1945,8 @@ win_equal_rec(
+ if (hnc) /* add next_curwin size */
+ {
+ next_curwin_size -= p_wiw - (m - n);
++ if (next_curwin_size < 0)
++ next_curwin_size = 0;
+ new_size += next_curwin_size;
+ room -= new_size - next_curwin_size;
+ }
+@@ -5899,7 +5901,8 @@ scroll_to_fraction(win_T *wp, int prev_height)
+ void
+ win_new_width(win_T *wp, int width)
+ {
+- wp->w_width = width;
++ // Should we give an error if width < 0?
++ wp->w_width = width < 0 ? 0 : width;
+ wp->w_lines_valid = 0;
+ changed_line_abv_curs_win(wp);
+ invalidate_botline_win(wp); |
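Review bot: The clamp added in win_new_width (`wp->w_width = width < 0 ? 0 : width;`) silently accepts a negative width from whichever caller computed it, and the comment above it only asks a question, so a later reader cannot tell why the clamp exists. I would replace that comment with one that records the reason, e.g. `// A negative width caused an illegal memory access (CVE-2022-3324); clamp instead of storing it.`, and add a similar line above the `next_curwin_size < 0` guard in win_equal_rec, which has no comment at all. The new test says itself that it does not reproduce the illegal memory access, so it only covers the negative-width symptom; it also leaves `t_WS`, `ruler` and the `0` mapping changed for later tests, which saving and restoring the two options plus an `unmap 0` would fix. Both C functions continue outside their hunks, so the callers that produce the negative value are not visible here.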